puma 4.3.8 → 5.6.9

data/lib/puma/client.rb

@@ -23,6 +23,8 @@ module Puma
 
   class ConnectionError < RuntimeError; end
 
+  class HttpParserError501 < IOError; end
+
   # An instance of this class represents a unique request from a client.
   # For example, this could be a web request from a browser or from CURL.
   #
@@ -35,7 +37,30 @@ module Puma
   # Instances of this class are responsible for knowing if
   # the header and body are fully buffered via the `try_to_finish` method.
   # They can be used to "time out" a response via the `timeout_at` reader.
+  #
   class Client
+
+    # this tests all values but the last, which must be chunked
+    ALLOWED_TRANSFER_ENCODING = %w[compress deflate gzip].freeze
+
+    # chunked body validation
+    CHUNK_SIZE_INVALID = /[^\h]/.freeze
+    CHUNK_VALID_ENDING = Const::LINE_END
+    CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
+
+    # The maximum number of bytes we'll buffer looking for a valid
+    # chunk header.
+    MAX_CHUNK_HEADER_SIZE = 4096
+
+    # The maximum amount of excess data the client sends
+    # using chunk size extensions before we abort the connection.
+    MAX_CHUNK_EXCESS = 16 * 1024
+
+    # Content-Length header value validation
+    CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
+
+    TE_ERR_MSG = 'Invalid Transfer-Encoding'
+
     # The object used for a request with no body. All requests with
     # no body share this one object since it has no state.
     EmptyBody = NullIO.new
@@ -56,6 +81,7 @@ module Puma
       @parser = HttpParser.new
       @parsed_bytes = 0
       @read_header = true
+      @read_proxy = false
       @ready = false
 
       @body = nil
@@ -69,7 +95,9 @@ module Puma
       @hijacked = false
 
       @peerip = nil
+      @listener = nil
       @remote_addr_header = nil
+      @expect_proxy_proto = false
 
       @body_remain = 0
 
@@ -81,10 +109,17 @@ module Puma
 
     attr_writer :peerip
 
-    attr_accessor :remote_addr_header
+    attr_accessor :remote_addr_header, :listener
 
     def_delegators :@io, :closed?
 
+    # Test to see if io meets a bare minimum of functioning, @to_io needs to be
+    # used for MiniSSL::Socket
+    def io_ok?
+      @to_io.is_a?(::BasicSocket) && !closed?
+    end
+
+    # @!attribute [r] inspect
     def inspect
       "#<Puma::Client:0x#{object_id.to_s(16)} @ready=#{@ready.inspect}>"
     end
@@ -96,27 +131,36 @@ module Puma
       env[HIJACK_IO] ||= @io
     end
 
+    # @!attribute [r] in_data_phase
     def in_data_phase
-      !@read_header
+      !(@read_header || @read_proxy)
     end
 
     def set_timeout(val)
-      @timeout_at = Time.now + val
+      @timeout_at = Process.clock_gettime(Process::CLOCK_MONOTONIC) + val
+    end
+
+    # Number of seconds until the timeout elapses.
+    def timeout
+      [@timeout_at - Process.clock_gettime(Process::CLOCK_MONOTONIC), 0].max
     end
 
     def reset(fast_check=true)
       @parser.reset
       @read_header = true
+      @read_proxy = !!@expect_proxy_proto
       @env = @proto_env.dup
       @body = nil
       @tempfile = nil
       @parsed_bytes = 0
       @ready = false
       @body_remain = 0
-      @peerip = nil
+      @peerip = nil if @remote_addr_header
       @in_last_chunk = false
 
       if @buffer
+        return false unless try_to_parse_proxy_protocol
+
         @parsed_bytes = @parser.execute(@env, @buffer, @parsed_bytes)
 
         if @parser.finished?
@@ -129,8 +173,7 @@ module Puma
         return false
       else
         begin
-          if fast_check &&
-              IO.select([@to_io], nil, nil, FAST_TRACK_KA_TIMEOUT)
+          if fast_check && @to_io.wait_readable(FAST_TRACK_KA_TIMEOUT)
             return try_to_finish
           end
         rescue IOError
@@ -143,19 +186,45 @@ module Puma
     def close
       begin
         @io.close
-      rescue IOError
-        Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
+      rescue IOError, Errno::EBADF
+        Puma::Util.purge_interrupt_queue
       end
     end
 
+    # If necessary, read the PROXY protocol from the buffer. Returns
+    # false if more data is needed.
+    def try_to_parse_proxy_protocol
+      if @read_proxy
+        if @expect_proxy_proto == :v1
+          if @buffer.include? "\r\n"
+            if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+              if md[1]
+                @peerip = md[1].split(" ")[0]
+              end
+              @buffer = md.post_match
+            end
+            # if the buffer has a \r\n but doesn't have a PROXY protocol
+            # request, this is just HTTP from a non-PROXY client; move on
+            @read_proxy = false
+            return @buffer.size > 0
+          else
+            return false
+          end
+        end
+      end
+      true
+    end
+
     def try_to_finish
-      return read_body unless @read_header
+      return read_body if in_data_phase
 
       begin
         data = @io.read_nonblock(CHUNK_SIZE)
       rescue IO::WaitReadable
         return false
-      rescue SystemCallError, IOError, EOFError
+      rescue EOFError
+        # Swallow error, don't log
+      rescue SystemCallError, IOError
         raise ConnectionError, "Connection error detected during read"
       end
 
@@ -172,6 +241,8 @@ module Puma
         @buffer = data
       end
 
+      return false unless try_to_parse_proxy_protocol
+
       @parsed_bytes = @parser.execute(@env, @buffer, @parsed_bytes)
 
       if @parser.finished?
@@ -184,68 +255,20 @@ module Puma
       false
     end
 
-    if IS_JRUBY
-      def jruby_start_try_to_finish
-        return read_body unless @read_header
-
-        begin
-          data = @io.sysread_nonblock(CHUNK_SIZE)
-        rescue OpenSSL::SSL::SSLError => e
-          return false if e.kind_of? IO::WaitReadable
-          raise e
-        end
-
-        # No data means a closed socket
-        unless data
-          @buffer = nil
-          set_ready
-          raise EOFError
-        end
-
-        if @buffer
-          @buffer << data
-        else
-          @buffer = data
-        end
-
-        @parsed_bytes = @parser.execute(@env, @buffer, @parsed_bytes)
-
-        if @parser.finished?
-          return setup_body
-        elsif @parsed_bytes >= MAX_HEADER
-          raise HttpParserError,
-            "HEADER is longer than allowed, aborting client early."
-        end
-
-        false
-      end
-
-      def eagerly_finish
-        return true if @ready
-
-        if @io.kind_of? OpenSSL::SSL::SSLSocket
-          return true if jruby_start_try_to_finish
-        end
-
-        return false unless IO.select([@to_io], nil, nil, 0)
-        try_to_finish
-      end
-
-    else
+    def eagerly_finish
+      return true if @ready
+      return false unless @to_io.wait_readable(0)
+      try_to_finish
+    end
 
-      def eagerly_finish
-        return true if @ready
-        return false unless IO.select([@to_io], nil, nil, 0)
-        try_to_finish
-      end
-    end # IS_JRUBY
+    def finish(timeout)
+      return if @ready
+      @to_io.wait_readable(timeout) || timeout! until try_to_finish
+    end
 
-    def finish
-      return true if @ready
-      until try_to_finish
-        IO.select([@to_io], nil, nil)
-      end
-      true
+    def timeout!
+      write_error(408) if in_data_phase
+      raise ConnectionError
     end
 
     def write_error(status_code)
@@ -259,7 +282,7 @@ module Puma
       return @peerip if @peerip
 
       if @remote_addr_header
-        hdr = (@env[@remote_addr_header] || LOCALHOST_ADDR).split(/[\s,]/).first
+        hdr = (@env[@remote_addr_header] || LOCALHOST_IP).split(/[\s,]/).first
         @peerip = hdr
         return hdr
       end
@@ -267,6 +290,26 @@ module Puma
       @peerip ||= @io.peeraddr.last
     end
 
+    # Returns true if the persistent connection can be closed immediately
+    # without waiting for the configured idle/shutdown timeout.
+    # @version 5.0.0
+    #
+    def can_close?
+      # Allow connection to close if we're not in the middle of parsing a request.
+      @parsed_bytes == 0
+    end
+
+    def expect_proxy_proto=(val)
+      if val
+        if @read_header
+          @read_proxy = true
+        end
+      else
+        @read_proxy = false
+      end
+      @expect_proxy_proto = val
+    end
+
     private
 
     def setup_body
@@ -284,16 +327,27 @@ module Puma
       body = @parser.body
 
       te = @env[TRANSFER_ENCODING2]
-
       if te
-        if te.include?(",")
-          te.split(",").each do |part|
-            if CHUNKED.casecmp(part.strip) == 0
-              return setup_chunked_body(body)
-            end
+        te_lwr = te.downcase
+        if te.include? ','
+          te_ary = te_lwr.split ','
+          te_count = te_ary.count CHUNKED
+          te_valid = te_ary[0..-2].all? { |e| ALLOWED_TRANSFER_ENCODING.include? e }
+          if te_ary.last == CHUNKED && te_count == 1 && te_valid
+            @env.delete TRANSFER_ENCODING2
+            return setup_chunked_body body
+          elsif te_count >= 1
+            raise HttpParserError   , "#{TE_ERR_MSG}, multiple chunked: '#{te}'"
+          elsif !te_valid
+            raise HttpParserError501, "#{TE_ERR_MSG}, unknown value: '#{te}'"
           end
-        elsif CHUNKED.casecmp(te) == 0
-          return setup_chunked_body(body)
+        elsif te_lwr == CHUNKED
+          @env.delete TRANSFER_ENCODING2
+          return setup_chunked_body body
+        elsif ALLOWED_TRANSFER_ENCODING.include? te_lwr
+          raise HttpParserError     , "#{TE_ERR_MSG}, single value must be chunked: '#{te}'"
+        else
+          raise HttpParserError501  , "#{TE_ERR_MSG}, unknown value: '#{te}'"
         end
       end
 
@@ -301,7 +355,12 @@ module Puma
 
       cl = @env[CONTENT_LENGTH]
 
-      unless cl
+      if cl
+        # cannot contain characters that are not \d, or be empty
+        if cl =~ CONTENT_LENGTH_VALUE_INVALID || cl.empty?
+          raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
+        end
+      else
         @buffer = body.empty? ? nil : body
         @body = EmptyBody
         set_ready
@@ -319,6 +378,7 @@ module Puma
 
       if remain > MAX_BODY
         @body = Tempfile.new(Const::PUMA_TMP_BASE)
+        @body.unlink
         @body.binmode
         @tempfile = @body
       else
@@ -331,7 +391,7 @@ module Puma
 
       @body_remain = remain
 
-      return false
+      false
     end
 
     def read_body
@@ -398,7 +458,7 @@ module Puma
         end
 
         if decode_chunk(chunk)
-          @env[CONTENT_LENGTH] = @chunked_content_length
+          @env[CONTENT_LENGTH] = @chunked_content_length.to_s
           return true
         end
       end
@@ -408,19 +468,21 @@ module Puma
       @chunked_body = true
       @partial_part_left = 0
       @prev_chunk = ""
+      @excess_cr = 0
 
       @body = Tempfile.new(Const::PUMA_TMP_BASE)
+      @body.unlink
       @body.binmode
       @tempfile = @body
-
       @chunked_content_length = 0
 
       if decode_chunk(body)
-        @env[CONTENT_LENGTH] = @chunked_content_length
+        @env[CONTENT_LENGTH] = @chunked_content_length.to_s
         return true
       end
     end
 
+    # @version 5.0.0
     def write_chunk(str)
       @chunked_content_length += @body.write(str)
     end
@@ -434,7 +496,15 @@ module Puma
           chunk = chunk[@partial_part_left..-1]
           @partial_part_left = 0
         else
-          write_chunk(chunk) if @partial_part_left > 2 # don't include the last \r\n
+          if @partial_part_left > 2
+            if @partial_part_left == chunk.size + 1
+              # Don't include the last \r
+              write_chunk(chunk[0..(@partial_part_left-3)])
+            else
+              # don't include the last \r\n
+              write_chunk(chunk)
+            end
+          end
           @partial_part_left -= chunk.size
           return false
         end
@@ -449,25 +519,51 @@ module Puma
 
       while !io.eof?
         line = io.gets
-        if line.end_with?("\r\n")
-          len = line.strip.to_i(16)
+        if line.end_with?(CHUNK_VALID_ENDING)
+          # Puma doesn't process chunk extensions, but should parse if they're
+          # present, which is the reason for the semicolon regex
+          chunk_hex = line.strip[/\A[^;]+/]
+          if chunk_hex =~ CHUNK_SIZE_INVALID
+            raise HttpParserError, "Invalid chunk size: '#{chunk_hex}'"
+          end
+          len = chunk_hex.to_i(16)
           if len == 0
             @in_last_chunk = true
             @body.rewind
             rest = io.read
-            last_crlf_size = "\r\n".bytesize
-            if rest.bytesize < last_crlf_size
+            if rest.bytesize < CHUNK_VALID_ENDING_SIZE
               @buffer = nil
-              @partial_part_left = last_crlf_size - rest.bytesize
+              @partial_part_left = CHUNK_VALID_ENDING_SIZE - rest.bytesize
               return false
             else
-              @buffer = rest[last_crlf_size..-1]
+              # if the next character is a CRLF, set buffer to everything after that CRLF
+              start_of_rest = if rest.start_with?(CHUNK_VALID_ENDING)
+                CHUNK_VALID_ENDING_SIZE
+              else # we have started a trailer section, which we do not support. skip it!
+                rest.index(CHUNK_VALID_ENDING*2) + CHUNK_VALID_ENDING_SIZE*2
+              end
+
+              @buffer = rest[start_of_rest..-1]
               @buffer = nil if @buffer.empty?
               set_ready
               return true
             end
           end
 
+          # Track the excess as a function of the size of the
+          # header vs the size of the actual data. Excess can
+          # go negative (and is expected to) when the body is
+          # significant.
+          # The additional of chunk_hex.size and 2 compensates
+          # for a client sending 1 byte in a chunked body over
+          # a long period of time, making sure that that client
+          # isn't accidentally eventually punished.
+          @excess_cr += (line.size - len - chunk_hex.size - 2)
+
+          if @excess_cr >= MAX_CHUNK_EXCESS
+            raise HttpParserError, "Maximum chunk excess detected"
+          end
+
           len += 2
 
           part = io.read(len)
@@ -481,7 +577,12 @@ module Puma
 
           case
           when got == len
-            write_chunk(part[0..-3]) # to skip the ending \r\n
+            # proper chunked segment must end with "\r\n"
+            if part.end_with? CHUNK_VALID_ENDING
+              write_chunk(part[0..-3]) # to skip the ending \r\n
+            else
+              raise HttpParserError, "Chunk size mismatch"
+            end
           when got <= len - 2
             write_chunk(part)
             @partial_part_left = len - part.size
@@ -490,6 +591,10 @@ module Puma
             @partial_part_left = len - part.size
           end
         else
+          if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+            raise HttpParserError, "maximum size of chunk header exceeded"
+          end
+
           @prev_chunk = line
           return false
         end

data/lib/puma/cluster/worker.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+module Puma
+  class Cluster < Puma::Runner
+    # This class is instantiated by the `Puma::Cluster` and represents a single
+    # worker process.
+    #
+    # At the core of this class is running an instance of `Puma::Server` which
+    # gets created via the `start_server` method from the `Puma::Runner` class
+    # that this inherits from.
+    class Worker < Puma::Runner
+      attr_reader :index, :master
+
+      def initialize(index:, master:, launcher:, pipes:, server: nil)
+        super launcher, launcher.events
+
+        @index = index
+        @master = master
+        @launcher = launcher
+        @options = launcher.options
+        @check_pipe = pipes[:check_pipe]
+        @worker_write = pipes[:worker_write]
+        @fork_pipe = pipes[:fork_pipe]
+        @wakeup = pipes[:wakeup]
+        @server = server
+      end
+
+      def run
+        title  = "puma: cluster worker #{index}: #{master}"
+        title += " [#{@options[:tag]}]" if @options[:tag] && !@options[:tag].empty?
+        $0 = title
+
+        Signal.trap "SIGINT", "IGNORE"
+        Signal.trap "SIGCHLD", "DEFAULT"
+
+        Thread.new do
+          Puma.set_thread_name "wrkr check"
+          @check_pipe.wait_readable
+          log "! Detected parent died, dying"
+          exit! 1
+        end
+
+        # If we're not running under a Bundler context, then
+        # report the info about the context we will be using
+        if !ENV['BUNDLE_GEMFILE']
+          if File.exist?("Gemfile")
+            log "+ Gemfile in context: #{File.expand_path("Gemfile")}"
+          elsif File.exist?("gems.rb")
+            log "+ Gemfile in context: #{File.expand_path("gems.rb")}"
+          end
+        end
+
+        # Invoke any worker boot hooks so they can get
+        # things in shape before booting the app.
+        @launcher.config.run_hooks :before_worker_boot, index, @launcher.events
+
+        begin
+        server = @server ||= start_server
+        rescue Exception => e
+          log "! Unable to start worker"
+          log e.backtrace[0]
+          exit 1
+        end
+
+        restart_server = Queue.new << true << false
+
+        fork_worker = @options[:fork_worker] && index == 0
+
+        if fork_worker
+          restart_server.clear
+          worker_pids = []
+          Signal.trap "SIGCHLD" do
+            wakeup! if worker_pids.reject! do |p|
+              Process.wait(p, Process::WNOHANG) rescue true
+            end
+          end
+
+          Thread.new do
+            Puma.set_thread_name "wrkr fork"
+            while (idx = @fork_pipe.gets)
+              idx = idx.to_i
+              if idx == -1 # stop server
+                if restart_server.length > 0
+                  restart_server.clear
+                  server.begin_restart(true)
+                  @launcher.config.run_hooks :before_refork, nil, @launcher.events
+                  Puma::Util.nakayoshi_gc @events if @options[:nakayoshi_fork]
+                end
+              elsif idx == 0 # restart server
+                restart_server << true << false
+              else # fork worker
+                worker_pids << pid = spawn_worker(idx)
+                @worker_write << "f#{pid}:#{idx}\n" rescue nil
+              end
+            end
+          end
+        end
+
+        Signal.trap "SIGTERM" do
+          @worker_write << "e#{Process.pid}\n" rescue nil
+          restart_server.clear
+          server.stop
+          restart_server << false
+        end
+
+        begin
+          @worker_write << "b#{Process.pid}:#{index}\n"
+        rescue SystemCallError, IOError
+          Puma::Util.purge_interrupt_queue
+          STDERR.puts "Master seems to have exited, exiting."
+          return
+        end
+
+        while restart_server.pop
+          server_thread = server.run
+          stat_thread ||= Thread.new(@worker_write) do |io|
+            Puma.set_thread_name "stat pld"
+            base_payload = "p#{Process.pid}"
+
+            while true
+              begin
+                b = server.backlog || 0
+                r = server.running || 0
+                t = server.pool_capacity || 0
+                m = server.max_threads || 0
+                rc = server.requests_count || 0
+                payload = %Q!#{base_payload}{ "backlog":#{b}, "running":#{r}, "pool_capacity":#{t}, "max_threads": #{m}, "requests_count": #{rc} }\n!
+                io << payload
+              rescue IOError
+                Puma::Util.purge_interrupt_queue
+                break
+              end
+              sleep @options[:worker_check_interval]
+            end
+          end
+          server_thread.join
+        end
+
+        # Invoke any worker shutdown hooks so they can prevent the worker
+        # exiting until any background operations are completed
+        @launcher.config.run_hooks :before_worker_shutdown, index, @launcher.events
+      ensure
+        @worker_write << "t#{Process.pid}\n" rescue nil
+        @worker_write.close
+      end
+
+      private
+
+      def spawn_worker(idx)
+        @launcher.config.run_hooks :before_worker_fork, idx, @launcher.events
+
+        pid = fork do
+          new_worker = Worker.new index: idx,
+                                  master: master,
+                                  launcher: @launcher,
+                                  pipes: { check_pipe: @check_pipe,
+                                           worker_write: @worker_write },
+                                  server: @server
+          new_worker.run
+        end
+
+        if !pid
+          log "! Complete inability to spawn new workers detected"
+          log "! Seppuku is the only choice."
+          exit! 1
+        end
+
+        @launcher.config.run_hooks :after_worker_fork, idx, @launcher.events
+        pid
+      end
+    end
+  end
+end